Chapter 4: Network Vulnerabilities and Attacks
Cyberwar and Cyberterrorism
  "Titan Rain": attacks on US government and military computers from China breached hundreds of systems in 2005 (link Ch 4a)
  In 2007, Estonia was attacked by Russian computers as a political statement, using DDoS (Distributed Denial of Service) with botnets (link Ch 4b)

Objectives
  Explain the types of network vulnerabilities
  List categories of network attacks
  Define different methods of network attacks

Network Vulnerabilities
  Media-Based Vulnerabilities
    Monitoring network traffic helps to identify and troubleshoot network problems
    Monitoring traffic can be done in two ways:
      Use a switch with port mirroring: copies all traffic to a designated monitoring port on the switch
      Install a network tap (test access point): a device installed between two network devices, such as a switch, router, or firewall, to monitor traffic

Port Mirroring
CNIT 123 – Bowne Page 1 of 12
Sniffer
Network Tap
Sniffing Attacks
  Just as network taps and protocol analyzers can be used for legitimate purposes, they also can be used by attackers to intercept and view network traffic
  Attackers can access the wired network in the following ways:
    False ceilings
    Exposed wiring
    Unprotected RJ-45 jacks
Ways to Redirect Switched Traffic
Network Device Vulnerabilities
  Passwords
    Passwords should be long and complex, should be changed frequently, and should not be written down
    But that is a difficult task
    Solution: Password Manager Software (link Ch 4d)

Characteristics of Weak Passwords
  A common word used as a password
  Not changing passwords unless forced to do so
  Passwords that are short
  Personal information in a password
  Using the same password for all accounts
  Writing the password down

Network Device Vulnerabilities
  Default account
    A user account on a device that is created automatically by the device instead of by an administrator
    Used to make the initial setup and installation of the device (often by outside personnel) easier
    Although default accounts are intended to be deleted after the installation is completed, often they are not
    Default accounts are often the first targets that attackers seek
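The weak-password characteristics listed above can be turned into a policy check. The following Python is an added example for this lecture, not code from the course or the textbook; the word list, the 12-character minimum and the "three character classes" rule are assumptions standing in for whatever policy a site actually adopts.

```python
import re

# Constructed word list for the demo; a real check would use a large
# dictionary or breached-password list (assumption, not from the slides).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin", "monkey", "dragon"}
MIN_LENGTH = 12   # assumed policy value; the slides only say "long"

def password_weaknesses(password, personal_info=(), reused=False, written_down=False):
    """Return the weak-password characteristics from the slide that apply.

    personal_info: strings the user is known by (username, birth year, pet name)
    reused / written_down: facts the caller knows about how the password is used
    """
    findings = []
    lowered = password.lower()
    # Strip digits and symbols so "Password1!" is still recognised as a common word
    core = re.sub(r"[^a-z]", "", lowered)
    if core in COMMON_WORDS:
        findings.append("common word")
    if len(password) < MIN_LENGTH:
        findings.append("short")
    if any(len(item) >= 3 and item.lower() in lowered for item in personal_info):
        findings.append("personal information")
    if reused:
        findings.append("same password for all accounts")
    if written_down:
        findings.append("written down")
    return findings

def char_classes(password):
    """Count of lowercase, uppercase, digit and symbol classes present (0-4)."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))

def is_acceptable(password, **facts):
    """Long and complex (at least three character classes) with no listed weakness."""
    return (len(password) >= MIN_LENGTH
            and char_classes(password) >= 3
            and not password_weaknesses(password, **facts))

if __name__ == "__main__":
    facts = {"personal_info": ("alice", "1985")}
    for pw in ("Password1!", "Alice1985!!!!", "correct-horse-battery-9Staple"):
        print(pw, password_weaknesses(pw, **facts), is_acceptable(pw, **facts))
```

Note that two of the slide's characteristics ("changed only when forced" and "written down") are facts about behaviour rather than about the string, so they are supplied by the caller rather than inferred from the password itself.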
ATM Passwords
  In 2008, these men used default passwords to reprogram ATM machines to hand out $20 bills like they were $1 bills (link Ch 4e)
Network Device Vulnerabilities
  Back door
    An account that is secretly set up without the administrator's knowledge or permission, that cannot be easily detected, and that allows for remote access to the device
    Back doors can be created:
      By a virus, worm, or Trojan horse
      By a programmer of the software on the device
      Built into the hardware chips

Hardware Trojans
  Military equipment contains chips from foreign countries
  Those chips can contain backdoors or kill switches (link Ch 4e)

Privilege escalation
  Changing a limited user to an Administrator (link Ch 4g)
Categories of Attacks
  Denial of Service (DoS)
    Attempts to consume network resources so that the network or its devices cannot respond to legitimate requests
    Example: SYN flood attack
  Distributed denial of service (DDoS) attack
    A variant of the DoS
    May use hundreds or thousands of zombie computers in a botnet to flood a device with requests

Real DDoS Attack (link Ch 4i)
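A SYN flood works by leaving many connections half-open, so the simplest detection counts half-open connections per target inside a short time window. The Python below is an added example for this chapter, not code from the course: the packet summaries are constructed, and the one-second window and the threshold of 100 half-open connections are assumed tuning values.

```python
from collections import defaultdict

# Constructed packet summaries: (time_s, src_ip, dst_ip, dst_port, tcp_flags).
# One normal client completes its handshake (SYN, then the final ACK); the
# flood sends 200 SYNs from 200 spoofed source addresses and completes none.
NORMAL_CLIENT = [
    (0.0, "10.0.0.5", "192.0.2.10", 80, "S"),
    (0.1, "10.0.0.5", "192.0.2.10", 80, "A"),
]
SYN_FLOOD = [(1.0 + i * 0.001, "203.0.113.%d" % (i + 1), "192.0.2.10", 80, "S")
             for i in range(200)]
SAMPLE_PACKETS = NORMAL_CLIENT + SYN_FLOOD

def peak_half_open(packets, window_s=1.0):
    """Return {(dst_ip, dst_port): peak number of half-open connections}.

    A connection is half-open from the client's SYN until that client sends
    the handshake-completing ACK (or a RST).  Entries older than window_s
    are expired, so a slow trickle of unfinished handshakes does not count,
    but a burst does.
    """
    pending = defaultdict(dict)   # (dst, dport) -> {src_ip: syn_time}
    peak = defaultdict(int)
    for t, src, dst, dport, flags in packets:
        key = (dst, dport)
        if "S" in flags and "A" not in flags:              # client SYN
            pending[key][src] = t
        elif ("A" in flags or "R" in flags) and src in pending[key]:
            del pending[key][src]                           # finished or aborted
        for s, t0 in list(pending[key].items()):            # expire stale entries
            if t - t0 > window_s:
                del pending[key][s]
        peak[key] = max(peak[key], len(pending[key]))
    return dict(peak)

def syn_flood_targets(packets, threshold=100, window_s=1.0):
    """Targets whose half-open count reached the threshold within one window."""
    return {k: v for k, v in peak_half_open(packets, window_s).items() if v >= threshold}

if __name__ == "__main__":
    print(syn_flood_targets(SAMPLE_PACKETS))
```

Because the flood's source addresses are spoofed, blocking individual sources does little; the useful output is the targeted (ip, port), which is what SYN cookies or rate limiting on the server side would protect.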
Wireless DoS
  Requires a powerful transmitter
An Easier Wireless DoS
Spoofing
  Spoofing is impersonation
  Attacker pretends to be someone else
  Malicious actions would be attributed to another user
  Spoof the network address of a known and trusted host
  Spoof a wireless router to intercept traffic

Man-in-the-Middle Attack
  Passive: attacker reads traffic
  Active: attacker changes traffic
  Common on networks

Replay Attack
  Attacker captures data
  Resends the same data later
  A simple attack: capture passwords and save them
Wall of Sheep
  Captured passwords projected on the wall at DEFCON (link Ch 4j)

Sidejacking
  Records cookies and replays them (link Ch 4k)
  This technique breaks into Gmail accounts
  Technical name: Cross Site Request Forgery
  Almost all social networking sites are vulnerable to this attack
    Facebook, MySpace, Yahoo, etc.
Methods of Network Attacks
  SNMP (Simple Network Management Protocol)
    Used to manage switches, routers, and other network devices
    Early versions did not encrypt passwords, and had other security flaws
    But the old versions are still commonly used
  DNS (Domain Name System)
    DNS is used to resolve domain names like www.ccsf.edu to IP addresses like 147.144.1.254
    DNS has many vulnerabilities
    It was never designed to be secure

DNS Poisoning
  Local DNS Poisoning
    Put false entries into the Hosts file: C:\Windows\System32\Drivers\etc\hosts
DNS Cache Poisoning
  Attacker sends many spoofed DNS responses
  Target just accepts the first one it gets

Sending Extra DNS Records
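"Accepts the first one it gets" is only half the story: a resolver does check a reply against the query it sent before caching it, and the slide's attack works because those checks are weak. The Python below is an added example, not code from the course or any real resolver; it builds constructed DNS replies, then shows which of them a resolver's matching logic (transaction ID, our source port, the server's address, the QR bit and the question section) accepts. The server and client addresses are constructed.

```python
import struct

def encode_name(qname):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split(".")) + b"\x00"

def build_response(txid, qname, answer_ip, ttl=300):
    """Constructed DNS A-record response (header + question + one answer)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR=1, RD, RA
    question = encode_name(qname) + struct.pack("!HH", 1, 1)        # type A, class IN
    rdata = bytes(int(o) for o in answer_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name pointer to offset 12
    return header + question + answer

def parse_name(data, offset):
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in question section")
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def parse_header_and_question(data):
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = parse_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype,
            "qclass": qclass, "ancount": ancount}

class ResolverState:
    """Tracks outstanding queries so a reply is matched before it is cached."""
    def __init__(self):
        self.outstanding = {}   # (txid, our_src_port) -> (server_ip, qname, qtype)

    def send_query(self, txid, src_port, server_ip, qname, qtype=1):
        self.outstanding[(txid, src_port)] = (server_ip, qname.lower(), qtype)

    def accept_response(self, from_ip, to_port, data):
        """Return (accepted, reason); only an accepted reply would be cached."""
        try:
            hdr = parse_header_and_question(data)
        except (ValueError, struct.error, IndexError, UnicodeDecodeError) as e:
            return False, "malformed: %s" % e
        key = (hdr["txid"], to_port)
        if key not in self.outstanding:
            return False, "no outstanding query with this transaction ID and port"
        server_ip, qname, qtype = self.outstanding[key]
        if from_ip != server_ip:
            return False, "reply did not come from the server we asked"
        if not hdr["flags"] & 0x8000:
            return False, "QR bit not set (not a response)"
        if (hdr["qname"].lower(), hdr["qtype"], hdr["qclass"]) != (qname, qtype, 1):
            return False, "question section does not match the query"
        del self.outstanding[key]   # one reply per query; later copies are ignored
        return True, "accepted"

def demo():
    """Replay the slide's scenario: forged replies arrive, then the real one."""
    r = ResolverState()
    r.send_query(0x1A2B, 40000, "192.0.2.53", "www.ccsf.edu")
    wrong_txid = build_response(0x0001, "www.ccsf.edu", "203.0.113.66")
    wrong_question = build_response(0x1A2B, "evil.example", "203.0.113.66")
    genuine = build_response(0x1A2B, "www.ccsf.edu", "147.144.1.254")
    return [
        r.accept_response("192.0.2.53", 40000, wrong_txid)[0],
        r.accept_response("198.51.100.9", 40000, genuine)[0],     # right bytes, wrong sender
        r.accept_response("192.0.2.53", 40000, wrong_question)[0],
        r.accept_response("192.0.2.53", 40000, genuine)[0],
        r.accept_response("192.0.2.53", 40000, genuine)[0],       # duplicate after acceptance
    ]
```

The transaction ID is only 16 bits and the source port is easy to predict if it is not randomized, which is why "many spoofed responses" can beat these checks; the first reply that passes them wins, exactly as the slide says. Randomizing the source port raises the cost, and the DNSSEC signatures mentioned under "Protection from DNS Attacks" are what would let the resolver verify the answer itself rather than just its envelope.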
DNS Transfers
  Intended to let a new DNS server copy the records from an existing one
  Can be used by attackers to get a list of all the machines in a company, like a network diagram
  Usually blocked by modern DNS servers
Protection from DNS Attacks
  Antispyware software will warn you when the hosts file is modified
  Using updated versions of DNS server software prevents older DNS attacks against the server
  But many DNS flaws cannot be patched
  Eventually: Switch to DNSSEC (Domain Name System Security Extensions)
  But DNSSEC is not widely deployed yet, and it has its own problems (link Ch 4l)
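The "warn when the hosts file is modified" protection amounts to two checks: has the file changed since a known-good baseline, and does it now contain mappings for anything other than the local names it ships with. The Python below is an added example, not code from the course or any antispyware product; the two hosts-file contents are constructed, and the Windows path is the one from the slide.

```python
import hashlib

HOSTS_PATH = r"C:\Windows\System32\Drivers\etc\hosts"   # path from the slide

# Names that legitimately appear in a stock hosts file, and where they may point
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
LOCAL_ADDRS = {"127.0.0.1", "::1", "255.255.255.255"}

# Constructed contents: a clean baseline and a copy with two injected entries
BASELINE_HOSTS = "# constructed baseline hosts file\n127.0.0.1 localhost\n::1 localhost\n"
TAMPERED_HOSTS = BASELINE_HOSTS + "203.0.113.66 www.ccsf.edu\n203.0.113.66 login.example.com  # added\n"

def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping, ignoring comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield lineno, ip, name.lower()

def suspicious_entries(text):
    """Mappings that override a real domain or point a local name off loopback."""
    return [(n, ip, name) for n, ip, name in parse_hosts(text)
            if not (name in LOCAL_NAMES and ip in LOCAL_ADDRS)]

def check_hosts(text, baseline_digest):
    """Return (changed_since_baseline, list_of_suspicious_entries)."""
    return digest(text) != baseline_digest, suspicious_entries(text)

if __name__ == "__main__":
    # With a real file: text = open(HOSTS_PATH, encoding="utf-8", errors="replace").read()
    known = digest(BASELINE_HOSTS)
    print(check_hosts(BASELINE_HOSTS, known))
    print(check_hosts(TAMPERED_HOSTS, known))
```

The digest catches any edit at all, while the entry scan says which lines matter; a legitimate administrator addition would show up in both, so the baseline has to be refreshed after approved changes.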
ARP (Address Resolution Protocol)
  ARP is used to convert IP addresses like 147.144.1.254 into MAC addresses like 00-30-48-82-11-34

ARP Cache Poisoning
  Attacker sends many spoofed ARP responses
  Target just accepts the first one it gets

Results of ARP Poisoning Attacks
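Because ARP has no authentication, detection rests on watching replies for the symptoms of poisoning rather than on validating them. The Python below is an added example for this chapter, not code from the course: it replays a constructed set of ARP frames (the gateway address and client MAC are borrowed from the slide; the attacker MAC is made up) through three checks of the kind tools such as arpwatch perform.

```python
# Constructed ARP frames: (time_s, op, sender_ip, sender_mac, target_ip).
# The first pair is a normal request/reply for the gateway 147.144.1.254; the
# last two are unsolicited replies in which one unknown MAC claims to be both
# the gateway and the client, the pattern of a man-in-the-middle poisoning.
SAMPLE_ARP = [
    (0.0, "request", "147.144.1.10",  "00-30-48-82-11-34", "147.144.1.254"),
    (0.1, "reply",   "147.144.1.254", "00-11-22-33-44-55", "147.144.1.10"),
    (5.0, "reply",   "147.144.1.254", "de-ad-be-ef-00-01", "147.144.1.10"),
    (5.1, "reply",   "147.144.1.10",  "de-ad-be-ef-00-01", "147.144.1.254"),
]

def detect_arp_poisoning(frames):
    """Return (ip_to_mac_table, alerts) after replaying the frames.

    Three checks: a reply nobody asked for, an IP whose MAC changes, and one
    MAC claiming several IPs.  Each alert is (time, kind, subject, detail).
    """
    table = {}          # ip -> mac most recently claimed
    pending = set()     # (requester_ip, wanted_ip) with no reply yet
    alerts = []
    for t, op, sip, smac, tip in frames:
        if op == "request":
            pending.add((sip, tip))
            continue
        if (tip, sip) in pending:
            pending.discard((tip, sip))
        else:
            alerts.append((t, "unsolicited reply", sip, smac))
        old = table.get(sip)
        if old is not None and old != smac:
            alerts.append((t, "MAC changed", sip, "%s -> %s" % (old, smac)))
        others = [ip for ip, mac in table.items() if mac == smac and ip != sip]
        if others:
            alerts.append((t, "one MAC claims multiple IPs", smac, sorted(others + [sip])))
        table[sip] = smac
    return table, alerts

if __name__ == "__main__":
    table, alerts = detect_arp_poisoning(SAMPLE_ARP)
    for a in alerts:
        print(a)
```

A single "MAC changed" alert can be a legitimately replaced NIC; the combination of unsolicited replies and one MAC answering for both the gateway and a host is what distinguishes poisoning. On a managed switch, Dynamic ARP Inspection would drop such replies rather than just log them.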
TCP/IP Hijacking
  Takes advantage of a weakness in the TCP/IP protocol
  The TCP header contains two 32-bit fields that are used as packet counters: the Sequence and Acknowledgement numbers
  Packets may arrive out of order
  Receiver uses the Sequence numbers to put the packets back in order
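The reordering the slide describes, and the one check that limits hijacking, fit in a few lines. The Python below is an added example, not code from the course or any TCP stack: a simplified receiver that reassembles constructed segments by sequence number and silently drops any segment whose number falls outside its receive window. The initial sequence number, window size and payloads are constructed.

```python
MODULUS = 2 ** 32   # sequence numbers are 32-bit counters and wrap around

def in_window(seq, expected, window):
    """True if seq lies in [expected, expected + window) modulo 2^32."""
    return (seq - expected) % MODULUS < window

def reassemble(segments, isn, window=65535):
    """Reorder segments by sequence number, dropping any outside the receive window.

    segments: (seq, payload) pairs in arrival order
    isn: the initial sequence number agreed in the handshake
    Returns (stream_bytes, next_expected_seq, rejected_seqs).
    Simplification: overlapping or retransmitted data is not merged.
    """
    expected = isn
    buffered = {}       # out-of-order segments waiting for the gap to fill
    rejected = []
    stream = bytearray()
    for seq, payload in segments:
        if not in_window(seq, expected, window):
            rejected.append(seq)        # a receiver silently discards these
            continue
        buffered[seq] = payload
        while expected in buffered:     # deliver everything now contiguous
            data = buffered.pop(expected)
            stream += data
            expected = (expected + len(data)) % MODULUS
    return bytes(stream), expected, rejected

# Constructed arrival order: the three real segments arrive out of order, and a
# fourth with a sequence number nowhere near the window is injected.
SAMPLE_SEGMENTS = [
    (1006, b"wor"),
    (1009, b"ld!"),
    (5000000, b"injected"),
    (1000, b"hello "),
]

if __name__ == "__main__":
    print(reassemble(SAMPLE_SEGMENTS, isn=1000))
```

The injected segment is dropped only because its sequence number is far from the window; a forged segment whose number an attacker can predict would be accepted just like the genuine ones, which is the weakness the slide refers to. That is why modern stacks randomize the initial sequence number and why sessions that matter are protected by TLS or SSH rather than by TCP alone.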
Wireless Attacks
  Rogue access points
    Employees often set up home wireless routers for convenience at work
    This allows attackers to bypass all of the network security and opens the entire network and all users to direct attacks
    An attacker who can access the network through a rogue access point is behind the company's firewall
    Can directly attack all devices on the network
War driving
  Beaconing
    At regular intervals, a wireless AP sends a beacon frame to announce its presence and to provide the necessary information for devices that want to join the network
  Scanning
    Each wireless device looks for those beacon frames
    Unapproved wireless devices can likewise pick up the beaconing RF transmission
    Formally known as wireless location mapping
  War driving technically involves using an automobile to search for wireless signals over a large area
  Tools for conducting war driving:
    Mobile computing device
    Wireless NIC adapters
    Antennas
    Global positioning system receiver
    Software

Bluetooth
  A wireless technology that uses short-range RF transmissions
  Provides for rapid "on the fly" and ad hoc connections between devices

Bluesnarfing
  Stealing data through a Bluetooth connection
  E-mails, calendars, contact lists, and cell phone pictures and videos, …
Other Attacks and Frauds
  Null Sessions
    Connections to a Microsoft Windows 2000 or Windows NT computer with a blank username and password
    Attacker can collect a lot of data from a vulnerable system
    Cannot be fixed by patches to the operating systems
    Much less of a problem with modern Windows versions, Win XP SP2, Vista, or Windows 7

Domain Name Kiting
  Check kiting
    A type of fraud that involves the unlawful use of checking accounts to gain additional time before the fraud is detected
  Registrars are organizations that are approved by ICANN to sell and register Internet domain names
  A five-day Add Grace Period (AGP) permits registrars to delete any newly registered Internet domain names and receive a full refund of the registration fee
  Unscrupulous registrars register thousands of Internet domain names and then delete them
  Recently expired domain names are indexed by search engines
  Visitors are directed to a re-registered site, which is usually a single-page Web site with paid advertisement links
  Visitors who click on these links generate money for the registrar
Last modified 2-5-09